
That's messed up if true, but why would a ransomware operator target them? I mean like, they don't really target, they just wait for people to install something right?


Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.

Considering the timing it could also be geopolitical unfortunately, people dying from a ransomware attack could substantially raise the general tension level in the US.

Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.

It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a common deployed piece of software, which would allow them to skip the phishing part entirely.

[0] https://www.zdnet.com/article/first-death-reported-following...

Disclaimer: The company I work for is involved in detecting ransomware as a side business.


I'm not experiencing any surprise that the hospitals are attacked, I know that happens, I am experiencing surprise at three government agencies hanging out in a chatroom where hackers are credibly discussing attacking a bunch of hospitals with ransomware.

My understanding is that the ransomware operators just take a look at computers that are infected, and then negotiate based on who they appear to be.


I get the impression you're taking what you know of attacks against consumers, and just assuming that attacks against large organizations work the same way. They (generally) don't.

With a consumer attack it's get execution on a computer, encrypt some files, and ransom them back. This might earn a few hundred dollars per computer, and isn't worth putting a whole lot of effort into any individual.

At a corporate level it's get some level of access, use that access to get control of a whole lot more access - and also to get control of servers that actually matter instead of users' workstations that mostly don't. Maybe try and delete the backups, often exfiltrate a bunch of data, then encrypt things. If you exfiltrated the data the ransom potentially includes not just the offer to decrypt things but also a promise not to distribute the exfiltrated data.

This is all reasonably high touch "work". They've got to figure out how to move laterally inside that specific company's network. They need to figure out what data is actually important (especially if the goal is to sell it). And so on. Unfortunately it appears to pay well enough to justify the effort. Companies are routinely paying millions of dollars in ransom.

I don't have stats to back this up (internal or otherwise), but my impression is that most successful attacks against enterprise targets are phishing attacks targeting employees to steal credentials.


Thanks that is insightful


> It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]

Just pointing out that this is a little misleading. The link you're referencing refers to the first ever reported hospital death related to a hospital's ransomware attack, and this article was from just a month ago (I remember, I read it on Hacker News too). But the juxtaposition of these sentences might suggest that death-by-ransomware-in-hospitals has been a common occurrence for quite some time.


It was certainly not my intent to mislead with that, I apologize if it was less than clear.


Ransomware shops don't sit passively by, waiting for someone to install a trojan. Some of them are actually outsourcing the actual penetration, according to Krebs:

https://krebsonsecurity.com/2020/10/amid-an-embarrassment-of...

And once you're doing that, you're going to minimax for hi-value, low-risk targets.


Or the leaders of these "shops" have a variety of national politicians as clients.


the only reason that's unlikely is because the effort behind this level of conspiracy is just so unnecessary to having a viable business plan

it's like yeaaah maaaybe there is one connected and high tech operation that all the world leaders heard about in their whatsapp groups, but my experience with "people with connections" is that they are so low tech and dumb that it's almost impossible for them to get the correct clandestine hacker group in play


While the initial infection of a single workstation is often done by pray-and-spray phishing attacks, the common practice for modern ransomware attacks is that this is followed by a manually controlled attack by skilled teams, spreading throughout the network and servers is not done by an automated virus, it's done by controlled malware; and the encryption is manually triggered when they think that the preparations are complete to do maximum damage, backups have been disabled/corrupted, etc.

So they do target the extortion; already the decision to move on from that initial foothold will be based on the understanding of what institution it is and how much they would be willing to pay. In this case, they have intentionally targeted hospitals.


Probably for initial infection it’s random but the negotiation for keys happens between real people.

Thieves must be heartless to go after such desperate targets. But criminals always have ways of justifying things.


> Thieves must be heartless to go after such desperate targets.

I mean it's the mafia, same people that traffic women and children, drugs,... profit is the motive, they don't care how. Just because they are now sitting behind a computer doesn't change their nature.

I've been in a hospital recently and they were still running Windows XP, my doctor using IE8 (cause ActiveX on the intranet) and Excel... But hey, they run anti-viruses!... Public institutions absolutely need to get rid of all that ASAP.


Look up these Internet scammers videos on YouTube. These scammers are heartless. They terrorise old people when they don't comply, claim they are calling the police (on the victim for not paying fake invoices), even playing police siren sounds in the background. If they could scam a hospital they would in a heartbeat.


>but the negotiation for keys happens between real people

I would be surprised if no one has written a smart contract for this yet - release the keys when X BTC are deposited to address Y.


Most enterprise ransomware payments involve actual negotiation/haggling on the price, timing, release of stolen data, etc.


How would the smart contract be able to validate that the 'keys' it releases are authentic beforehand?


You don't know this when interacting with the human ransomware people either, doesn't seem like a requirement.


Yep, makes sense.

I thought this proposal was some kind of pitch to solve that specific problem, not just automate the process after receiving a payment.

I just misunderstood what the goal was


It wouldn't.

The smart contract would just wait for payment and the control server would watch for payments. The victim would still have to trust that this process was in place, but the operator can have it completely automated

doesn't actually have to be a smart contract, just any address essentially. but a smart contract could allow for many more features, not sure if you'd really want that here


I'm imagining that "keep this value secret until payment is made" could be handled entirely on the blockchain, so that there is no C&C to shut down. But I'm not actually that familiar with the capabilities and limitations of smart contracts.


ah okay, Secrets (formerly Enigma) is a crypto-payments smart-contracts technology to look into for this. Otherwise you run into the problem of everything being stored onchain and visible or there would always have to be some oracle system that has the secret. I'm not sure if Secrets solves this use case, their main thing is storing secrets in the encrypted-key co-processors client side, but they might have other offerings.


you can write the contract and always automatically get a cut if you get people to use it, no negotiations, no contracts, no incorporation - the overhead costs to making money have never been lower

people are talking themselves out of how to use cryptocurrency and smart contracts, it's like something Plato would write


Hospitals may be coming up as a target with highest ROI. Automation is often less than you expect



